A lean approach to compliance: Minimum viable privacy program

As we are all well aware, privacy and data protection compliance is not a one-time job. It is a continuous process. The key is to build a sustainable compliance model, thereby creating a proactive culture that responds effectively to privacy-related matters.

Currently, there is a data protection hype in Turkey.

With the new data protection legislation in force, almost all companies are in a rush to ensure that they are compliant with the law because of the hefty fines and criminal consequences that might lead to imprisonment.

To be fair, personal data protection, even though only in theory, did exist before the new legislation. But now, it will be enforced with particular standards set out by law and will have to be considered as regular business practice.

This creates a huge problem.

From ground zero to full compliance

The current issue in Turkey is that before the enactment of the new legislation, most clients had not even put an ounce of thought into the protection of personal data. In sharp contrast, the new legislation requires, at least in theory, a high level of privacy and data protection awareness, as well as strong procedures to ensure compliance. This basically means that achieving the ideal level of compliance will require a seismic shift in the way that companies do business in Turkey.

This is what Turkish privacy professionals are dealing with right now. Our task is to bring these companies from ground zero to full compliance, and if history is any guide, this will not be easy.

Methodology is key

When the job requires grueling effort toward building a sustainable compliance model, one tends to plan each step of the way with pedantic attention to detail. Policies, surveys, forms, software, hardware... there is no end to it.

This is exactly why compliance projects end up aiming for a staccato transition between ground zero and perfect compliance. I have strong incentives to believe that this is wrong.

We must remember that there is no single solution that can mitigate all privacy and data protection risks. There is simply no "one-size-fits-all" strategy. The key building block of a sustainable compliance model is to fine-tune it to the unique needs and characteristics of the business, and perfectionism does not help in this regard when adopted right at the beginning.

What's more, such "fine-tuning" can itself become quite problematic. Data mapping exercises, data flow charts, interviews and all that work help you get familiar with the data practices of a business. But the problem is that building the "perfect" model will simply not be possible before you see the model up and running. There are two reasons for this: First, the model will be based on a set of assumptions no matter how much data is gathered beforehand; second, there will always be data-sensitive cases in practice that could not have been foreseen before the model is implemented.

The solution is to test the compliance model in real-time, and this is exactly where the lean approach comes in.

Minimum viable privacy program

In his influential book "The Lean Startup," Eric Ries says this to his readers:

"The Lean Startup method ... is designed to teach you how to drive a startup. Instead of making complex plans that are based on a lot of assumptions, you can make constant adjustments with a steering wheel called the Build-Measure-Learn feedback loop."

Now replace "startup" with "privacy and data protection compliance," and read it again. It would be an intriguing experiment to do this for the whole book, but here is an excerpt of what it would be like.

The lean privacy compliance method aims to enter the "build" phase as quickly as possible with a minimum viable privacy program. The MVPP is the version of the model that enables a full turn of the Build-Measure-Learn loop with a minimum amount of effort and the least amount of development time.

The MVPP helps privacy professionals start the process of learning as quickly as possible. It is not necessarily the most elementary privacy program imaginable, though; it is simply the fastest way to get through the Build-Measure-Learn feedback loop with the minimum amount of effort. Rather than a standard development phase, which usually involves a long, thoughtful incubation period while striving for perfection, the goal of the MVPP is to begin the process of learning.

The lesson that should be learned from the MVPP is that any additional work beyond what was required to start learning is a waste.

Is it really viable?

Obviously, I am not the first person to come up with the idea that re-evaluation and feedback are significant elements of building a successful compliance model. What I am suggesting or rather emphasizing here is to adopt a lean approach at the beginning of developing a privacy program, thereby aiming for an MVPP instead of a perfect model.

I am aware that when it comes to legal compliance, a lean approach may seem risky, simply because it will not, by definition, aim for the final bulletproof model. But this is precisely the idea, and in the short term, I believe it will prove even more secure from a legal standpoint. This is because aiming for a bulletproof model and achieving it are completely different things, particularly in Turkey where there is no precedent as of yet, and no one knows the strategy the national supervisory authority will adopt.

My argument here is that a lean approach would not necessarily mean neglecting the data protection obligations of the business but would rather be particularly relevant in terms of measures to be taken in order to sustain compliance. Sustainability can only be achieved by programming privacy and data protection into the DNA of the business, and this is only possible if we constantly adapt and revise the model until it precisely fits the DNA.

To put this in perspective, registration obligations will definitely be a priority item for the MVPP. However, one should question whether we really need to draft a detailed employee handbook right away or not. Would it not make more sense to first build the MVPP, measure how employees react to it in practice and then detail the codes of conduct in the employee handbook?

The privacy trenches

There are subtleties, but a lean approach to privacy and data protection compliance basically suggests that what we offer as privacy professionals in Turkey (or across the globe, for that matter) should not only include designing a privacy program but also adapting and revising it through at least several Build-Measure-Learn cycles.

A compliance model designed from our desks and clients' meeting rooms will simply not be enough. We must know what happens when our compliance model is applied in the trenches. A lean approach will allow us to have the time and the perspective we need to adopt the Build-Measure-Learn methodology and achieve sustainable compliance for our clients.
